1. Ilo 4 Error Installing License Demo License Previously Installed

This section documents the MessageID values that may be returned in ExtendedError responses to HTTP operations.

Privileged Password Management, Administrative Password Management, Password Manager, PassTrix, Password, Password Management.

Base.0.10.AccessDenied

While attempting to access, connect to, or transfer to/from another resource, the service was denied access.

Severity: Critical

Resolution: Verify that the URI is correct and that the service has the appropriate credentials.

Base.0.10.AccountForSessionNoLongerExists

The account for current session is removed and the current session is also removed.

Severity: OK

Resolution: Attempt to connect using a valid account.

Base.0.10.AccountModified

The account was modified successfully.

Severity: OK

Resolution: None.

Base.0.10.ActionNotSupported

The action supplied in the POST operation is not supported by the resource.

Severity: Critical

Resolution: The action was invalid or the wrong resource was the target. See the implementation documentation for assistance.

Base.0.10.ActionParameterDuplicate

The action was submitted with a duplicate parameter in the request body.

Severity: Warning

Resolution: Resubmit the action with only one instance of the parameter in the request body.

Base.0.10.ActionParameterMissing

The requested action is missing a parameter that is required to process the action.

Severity: Critical

Resolution: Resubmit the action with the required parameter in the request body.

Base.0.10.ActionParameterNotSupported

The action parameter is not supported on the target resource.

Severity: Warning

Resolution: If the operation did not complete, remove the parameter and resubmit the request.

Base.0.10.ActionParameterUnknown

An action was submitted, but a supplied parameter did not match any of the known parameters.

Severity: Warning

Resolution: If the operation did not complete, correct the invalid parameter and resubmit the request.

Base.0.10.ActionParameterValueFormatError

The value type is correct, but the format is not supported or the size/length is exceeded

Severity: Warning

Resolution: If the operation did not complete, correct the parameter value in the request body and resubmit the request.

Base.0.10.ActionParameterValueTypeError

The parameter contains an incorrect value type. For example, a number value for a string parameter type.

Severity: Warning

Resolution: If the operation did not complete, correct the parameter value in the request body and resubmit the request.

Base.0.10.CouldNotEstablishConnection

An attempt to access the resource, image, or file at the URI was unsuccessful because a session could not be established.

Severity: Critical

Resolution: Verify that the URI contains a valid and reachable node name, protocol information, and other URI components.

Base.0.10.CreateFailedMissingReqProperties

A create operation was attempted on a resource, but a required property was missing from the request.

Severity: Critical

Resolution: If the operation did not complete, include the required property with a valid value in the request body and resubmit the request.

Base.0.10.CreateLimitReachedForResource

No more resources can be created.

Severity: Critical

Resolution: If the operation did not complete, delete resources and resubmit the request.

Base.0.10.Created

The resource has been created successfully.

Severity: OK

Resolution: None

Base.0.10.EventSubscriptionLimitExceeded

The event subscription establishment has been requested, but the operation did not complete because the number of simultaneous subscriptions exceeded the maximum number allowed by the implementation.

Severity: Critical

Resolution: Before attempting to establish the event subscription, reduce the number of subscriptions or increase the maximum number of simultaneous subscriptions allowed (if supported).

Base.0.10.InsufficientPrivilege

The account or credentials associated with the current session are not authorized to perform the requested operation.

Severity: Critical

Resolution: Retry the operation with an authorized account or credentials.

Base.0.10.InternalError

The request did not complete due to an unknown internal error, but the service is still operational.

Severity: Critical

Resolution: Resubmit the request. If the problem persists, consider resetting the service.

Base.0.10.InvalidObject

The object is not valid.

Severity: Critical

Resolution: If the operation did not complete, the object is malformed or the URI is incorrect. Make the appropriate corrections and resubmit the request.

Base.0.10.MalformedJSON

The request body contains malformed JSON.

Severity: Critical

Resolution: Verify that the request body is valid JSON and resubmit the request.

Base.0.10.NoValidSession

The operation did not complete because a valid session is required in order to access resources.

Severity: Critical

Resolution: Establish a session before attempting any operations.

Base.0.10.PropertyDuplicateA duplicate property is in the request body.Severity: WarningResolution: If the operation did not complete, remove the duplicate property from the request body and resubmit the request.

Base.0.10.PropertyMissing

The request does not include a required property.

Severity: Warning

Resolution: If the operation did not complete, verify the property is in the request body and has a valid value.

Base.0.10.PropertyNotWritable

The request included a value for a read-only property.

Severity: Warning

Resolution: If the operation did not complete, remove the property from the request body and resubmit the request.

Base.0.10.PropertyUnknown

An unknown property is in the request body.

Severity: Warning

Resolution: If the operation did not complete, remove the unknown property from the request body and resubmit the request.

Base.0.10.PropertyValueFormatError

The value type is correct, but the format is not supported or the size/length is exceeded.

Severity: Warning

Resolution: If the operation did not complete, correct the property value in the request body and resubmit the request.

Base.0.10.PropertyValueNotInList

The value type is correct, but the value is not supported.

Severity: Warning

Resolution: If the operation did not complete, choose a value from the enumeration list and resubmit your request.

Base.0.10.PropertyValueTypeError

The property value contains an incorrect property type. For example, a number value for a string property type.

Severity: Warning

Resolution: If the operation did not complete, correct the property value in the request body and resubmit the request.

Base.0.10.QueryNotSupported

The query is not supported by the implementation.

Severity: Warning

Resolution: If the operation did not complete, remove the query parameter and resubmit the request.

Base.0.10.QueryNotSupportedOnResource

The query is not supported on the resource. For example, a start/count query is attempted on a resource that is not a collection.

Severity: Warning

Resolution: If the operation did not complete, remove the query parameters and resubmit the request.

Base.0.10.QueryParameterOutOfRange

The query parameter value is out of range for the resource. For example, a page is requested that is outside the valid page range.

Severity: Warning

Resolution: Specify a query parameter value that is within range. For example, a page that is within the valid range of pages.

Base.0.10.QueryParameterValueFormatError

The value type is correct, but the format is not supported or the size/length was exceeded.

Severity: Warning

Resolution: If the operation did not complete, correct the value for the query parameter in the request body and resubmit the request.

Base.0.10.QueryParameterValueTypeError

The query parameter contains an incorrect value type. For example, a number supplied for a query parameter that requires a string.

Severity: Warning

Resolution: If the operation did not complete, correct the value for the query parameter in the request body and resubmit the request.

Base.0.10.ResourceAlreadyExists

The create resource operation did not complete because the resource already exists.

Severity: Critical

Resolution: Do not attempt the create operation because the resource already exists.

Base.0.10.ResourceAtUriInUnknownFormat

The URI is valid, but the resource or image at that URI is in a format that is not supported by the service.

Severity: Critical

Resolution: Place a resource, image, or file that is supported by the service at the URI.

Base.0.10.ResourceAtUriUnauthorized

An attempt to access the resource, image, or file at the URI is unauthorized.

Severity: Critical

Resolution: Verify that the appropriate access is provided for the service to access the URI.

Base.0.10.ResourceCannotBeDeleted

A delete operation was attempted on a resource that cannot be deleted.

Severity: Critical

Resolution: Do not attempt to delete a resource that does not support the REST API DELETE operation.

Base.0.10.ResourceInUse

The request to change the resource was rejected because the resource was in use or in transition.

Severity: Warning

Resolution: If the operation did not complete, wait until the resource is free and resubmit the request.

Base.0.10.ResourceMissingAtURI

The operation expected an image or resource at the provided URI, but found none.

Severity: Critical

Resolution: Place a valid resource at the URI or correct the URI and resubmit the request.

Base.0.10.ServiceInUnknownState

The operation did not complete because the service is in an unknown state and cannot take incoming requests.

Severity: Critical

Resolution: If the operation did not complete, restart the service and resubmit the request.

Base.0.10.ServiceShuttingDown

The operation did not complete because the service is shutting down.

Severity: Critical

Resolution: If the operation did not complete, resubmit the request when the service is available.

Base.0.10.ServiceTemporarilyUnavailable

The service is temporarily unavailable.

Severity: Critical

Resolution: Wait for the indicated retry duration and retry the operation.

Base.0.10.SessionLimitExceeded

Session establishment has been requested, but the operation did not complete because the number of simultaneous sessions exceeded the maximum number allowed by the implementation.

Severity: Critical

Resolution: Before attempting to establish the session, reduce the number of sessions or increase the maximum number of simultaneous sessions allowed (if supported).

Base.0.10.SourceDoesNotSupportProtocol

While attempting to access, connect to, or transfer from another location, the other end of the connection did not support the specified protocol.

Severity: Critical

Resolution: Change protocols or URIs.

Base.0.10.Success

The operation completed successfully.

Severity: OK

Resolution: None

Base.0.10.UnrecognizedRequestBody

The service detected a request body with malformed JSON.

Severity: Warning

Resolution: If the operation did not complete, correct the request body and resubmit the request.

HpCommon.0.10.ArrayPropertyOutOfBound

The items in the array exceed the maximum number supported.

Severity: Warning

Resolution: Retry the operation using the correct number of items for the array.

HpCommon.0.10.ConditionalSuccess

A property value was successfully changed but the change may be reverted upon system reset.

Severity: Warning

Resolution: Check the 'SettingsResult' messages after the system has reset for errors referring to the corresponding property.

HpCommon.0.10.InternalErrorWithParam

The operation was not successful due to an internal service error (shown), but the service is still operational.

Severity: Critical

Resolution: Retry the operation. If the problem persists, consider resetting the service.

HpCommon.0.10.InvalidConfigurationSpecified

The specified configuration is not valid.

Severity: Warning

Resolution: Correct the configuration, and then retry the operation.

HpCommon.0.10.PropertyValueExceedsMaxLength

The value for the property exceeds the maximum length.

Severity: Warning

Resolution: Correct the value for the property in the request body, and then retry the operation.

HpCommon.0.10.PropertyValueIncompatible

The value for the property is the correct type, but this value is incompatible with the current value of another property.

Severity: Warning

Resolution: Correct the value for the property in the request body, and then retry the operation.

HpCommon.0.10.PropertyValueOutOfRange

The value for the property is out of range.

Severity: Warning

Resolution: Correct the value for the property in the request body, and then retry the operation.

HpCommon.0.10.ResetInProgress

A device or service reset is in progress.

Severity: Warning

Resolution: Wait for device or service reset to complete, and then retry the operation.

HpCommon.0.10.ResetRequired

One or more properties were changed, but these changes will not take effect until the device or service is reset.

Severity: Warning

Resolution: To enable the changed properties, reset the device or service.

HpCommon.0.10.ResourceNotReadyRetry

The resource is present but is not ready to perform operations due to an internal condition such as initialization or reset.

Severity: Warning

Resolution: Retry the operation when the resource is ready.

HpCommon.0.10.SuccessFeedback

The operation completed successfully

Severity: OK

Resolution: None

HpCommon.0.10.TaskCreated

A task was created in response to the operation.

Severity: OK

Resolution: Perform an HTTP GET request on the supplied URI for task status.

HpCommon.0.10.UnsupportedHwConfiguration

A previously requested property value change was reverted because the current hardware configuration does not support it.

Severity: Warning

Resolution: Ensure that the system's hardware configuration supports the property value.

iLO.0.10.AHSDisabled

Modifying AHS properties is not possible with AHS disabled.

Severity: Warning

Resolution: Enable AHS, and then modify the AHS properties.

iLO.0.10.Accepted

Indicates that one or more properties were correctly changed, but may not be in effect yet.

Severity: OK

Resolution: None

iLO.0.10.ActionParameterValueNotInList

Indicates that the correct value type was supplied for the action parameter, but the value is not supported. (The value is not in the enumeration list.)

Severity: Warning

Resolution: Choose a value from the enumeration list and resubmit the request if the operation failed.

iLO.0.10.AlertMailFeatureDisabled

AlertMail feature is disabled.

Severity: Warning

Resolution: Enable AlertMail feature to send test alert message.

iLO.0.10.ArrayPropertyOutOfBound

The number of items in the array exceeds the maximum number supported.

Severity: Warning

Resolution: Retry the operation using the correct number of items for the array.

iLO.0.10.CannotRemoveLicense

Cannot remove iLO Standard/iLO Standard for BladeSystem license.

Severity: Warning

Resolution: None.

iLO.0.10.DemoLicenseKeyPreviouslyInstalled

A demo license was previously installed.

Severity: Warning

Resolution: None.

iLO.0.10.DeviceResetRequired

Indicates that one or more properties were correctly changed, but will not take effect until device is reset.

Severity: Warning

Resolution: Reset the device for the settings to take effect.

iLO.0.10.DiagsTestAlreadyRunning

A diagnostics self test is already running.

Severity: Warning

Resolution: Stop the running test and try again.

iLO.0.10.ESKMServersNotConfigured

Enterprise Secure Key Manager Servers are not configured.

Severity: OK

Resolution: None.

iLO.0.10.ETagTooLong

The supplied ETag is too long. The maximum supported ETag length is 63 bytes.

Severity: Warning

Resolution: Retry the operation using an ETag with a length of 63 bytes or less.

iLO.0.10.EmptyDNSName

DNS name is empty.

Severity: Warning

Resolution: Retry the request with a valid DNS name.

iLO.0.10.ErrorIntializingESKM

Failed to initialize ESKM.

Severity: Warning

Resolution: Check if Account Group, Local CA Certificate Name, Login Name and Password are correct and try again.

iLO.0.10.EventLogCleared

Event log cleared successfully.

Severity: OK

Resolution: None.

iLO.0.10.EventSubscriptionModified

The event subscription was modified successfully.

Severity: OK

Resolution: None.

iLO.0.10.EventSubscriptionRemoved

The event subscription was removed successfully.

Severity: OK

Resolution: None.

iLO.0.10.ExtendedInfo

Indicates that extended information is available.

Severity: OK

Resolution: See @Message.ExtendedInfo for more information.

iLO.0.10.FWFlashSuccessTPMOverrideEnabled

A Trusted Platform Module is installed in the system and TPMOverrideFlag is enabled. Firmware flash initiated.

Severity: OK

Resolution: None.

iLO.0.10.FWFlashSuccessTrustedModuleOverrideEnabled

A Trusted Module (type unspecified) is installed in the system and TPMOverrideFlag is enabled. Firmware flash initiated.

Severity: OK

Resolution: None.

iLO.0.10.FWFlashTPMOverrideFlagRequired

A Trusted Platform Module is installed in the system, TPMOverrideFlag is required for firmware flash to proceed.

Severity: Warning

Resolution: Please set the TPMOverrideFlag to true and try again.

iLO.0.10.FWFlashTrustedModuleOverrideFlagRequired

A Trusted Module (type unspecified) is installed in the system, TPMOverrideFlag is required for firmware flash to proceed.

Severity: Warning

Resolution: Please set the TPMOverrideFlag to true and try again.

iLO.0.10.FirmwareFlashAlreadyInProgress

A firmware upgrade operation is already in progress.

Severity: Warning

Resolution: Wait for the current firmware flash to complete, and then retry the operation.

iLO.0.10.GeneratingCertificate

Generating the X509 Certificate.

Severity: OK

Resolution: None.

iLO.0.10.ICRUNotSupported

ICRU feature or function is not supported on the system.

Severity: Warning

Resolution: None.

iLO.0.10.IPv6ConfigurationError

The specified IPv6 configuration caused an error.

Severity: Warning

Resolution: Resolve the indicated error in the configuration data.

iLO.0.10.ImportCertSuccessfuliLOResetinProgress

Import Certificate was successful hence iLO needs to be reset. So automatic iLO reset is performed to enable the new certificate.

Severity: Warning

Resolution: None.

iLO.0.10.ImportCertificateFailed

Failed importing Certificate.

Severity: Warning

Resolution: Retry the operation with proper Certificate information.

iLO.0.10.ImportSSOParamError

Not a valid parameter.

Severity: Warning

Resolution: Retry the request with valid parameters.

iLO.0.10.ImportSSOUriError

Not a valid Uri to import SSO certificate.

Severity: Warning

Resolution: Retry the request with valid URI.

iLO.0.10.IndicatorLedInvalidStateChange

The request to change the state of the Indicator LED cannot be granted because the current state is either Blinking or is Unknown.

Severity: Warning

Resolution: Please wait until the server has completed its reserved state.

iLO.0.10.InternalErrorWithParam

The operation was not successful due to an internal service error (shown), but the service is still operational.

Severity: Critical

Resolution: Retry the operation. If the problem persists, consider resetting the service.

iLO.0.10.InvalidConfigurationSpecified

The specified configuration is not valid.

Severity: Warning

Resolution: Correct the configuration, and then retry the operation.

iLO.0.10.InvalidConfigurationSpecifiedForFederation

iLO Federation Management cannot be supported in the current configuration.

Severity: Warning

Resolution: Review the iLO network settings or Onboard Administrator settings and refer to the iLO User Guide.

iLO.0.10.InvalidEngineID

EngineID should be a hexadecimal number starting with 0x (for example, 0x0102030405abcdef). The string length should be an even number, greater than or equal to 6 characters (excluding the '0x'), and less than or equal to 32 characters.

Severity: Warning

Resolution: Retry the operation using an EngineID within the specified parameters.

iLO.0.10.InvalidIndex

The Index is not valid.

Severity: Warning

Resolution: Adhere to the indexes supported in the self links.

iLO.0.10.InvalidLicenseKey

The license key is not valid.

Severity: Warning

Resolution: Retry the operation using a valid license key.

iLO.0.10.InvalidOperationForAutoPowerOnState

The operation was not successful because the current auto power on mode specifies power is to remain off.

Severity: Warning

Resolution: Verify that the system auto power on mode is set to turn power on or follow the previous power setting.

iLO.0.10.InvalidOperationForSystemState

The operation was not successful due to the current power state (for example, attempting to turn the power off when it is already off).

Severity: Warning

Resolution: Verify that the system is in the correct power state, and then retry the operation.

iLO.0.10.InvalidPassphraseLength

The passphrase must contain 8 to 49 characters.

Severity: Warning

Resolution: Correct the passphrase, and then retry the operation.

iLO.0.10.InvalidPasswordLength

The password length is not valid.

Severity: Critical

Resolution: Retry the operation using a corrected password.

<iLO.0.10.LicenseKeyNotSupported

The use of a license key is not supported on this system.

Severity: Warning

Resolution: None.

iLO.0.10.LicenseKeyRequired

An iLO license key is required to use this operation or feature.

Severity: Warning

Resolution: Install a license key (Advanced or Scale Out) to use this feature.

iLO.0.10.LoginAttemptDelayed

The login was not successful, so the service enforces a delay before another login is allowed.

Severity: Warning

Resolution: Wait for the delay time to expire, and then retry the login.

iLO.0.10.LoginAttemptDelayedSeconds

The login was not successful, so the service enforces a delay before another login is allowed.

Severity: Warning

Resolution: None.

iLO.0.10.MaxProviders

The maximum number of providers are already registered.

Severity: Warning

Resolution: None.

iLO.0.10.MaxVirtualMediaConnectionEstablished

No more Virtual Media connections are available, because the maximum number of connections are already established.

Severity: Warning

Resolution: Close an established Virtual Media connection, and then retry creating or opening another connection.

iLO.0.10.MembistVariablesNotSupported

Membist variables are not supported on the system.

Severity: Warning

Resolution: None.

iLO.0.10.NoEventSubscriptions

There are no event subscriptions registerd.

Severity: Warning

Resolution:

iLO.0.10.NoPowerMetering

No support for power metering available on platform.

Severity: OK

Resolution: Enable Power Metering on platform if supported.

iLO.0.10.NoSNMPAlertDestinationsConfigured

No SNMP alert destinations are configured.

Severity: Warning

Resolution: Disable SNMP pass-thru, modify the property, and then re-enable SNMP pass-thru.

iLO.0.10.NoSamples

No power history samples are available.

Severity: OK

Resolution: To accumulate power history samples, power on the server, and then wait at least 5 minutes.

iLO.0.10.NoSpaceforDNSName

No space to store DNS name.

Severity: Warning

Resolution: Make sure SSO database has enough space to store DNS name.

iLO.0.10.NoVirtualMediaConnectionAvailable

No Virtual Media connections exist to perform the operation.

Severity: Warning

Resolution: Create or open a Virtual Media connection, and then retry the operation.

iLO.0.10.NotSupportedOnNIC

This property is not supported by the indicated network port.

Severity: Warning

Resolution: Do not specify this property on the indicated network port.

iLO.0.10.NotValidIPAddrOrDNS

The value for the property is not a valid IPv4/v6 address or DNS name.

Severity: Warning

Resolution: Correct the IPv4/v6 address or DNS name, and then retry the operation.

iLO.0.10.NotValidIPAddress

The value for the property is not a valid IP address.

Severity: Warning

Resolution: Use a valid IP address.

iLO.0.10.NotValidSubnetMask

The value for the property is not a valid subnet mask.

Severity: Warning

Resolution: Use a valid subnet mask.

iLO.0.10.PowerCapOACntrld

The enclosure Onboard Administrator is currently managing the power cap.

Severity: Warning

Resolution: Use Onboard Administrator to Manage the PowerCap

iLO.0.10.PowerCapROMCntrld

The System ROM is currently managing the power cap.

Severity: Warning

Resolution: Enable HP RESTful API management of the power cap in System ROM

iLO.0.10.PowerValueBadParam

The power cap value is not valid.

Severity: Warning

Resolution: Retry the operation using a corrected value.

iLO.0.10.PowerValueInvalidCalibrationData

The request to set the power cap failed. Invalid power cap calibration data. The Power Cap feature is currently unavailable.

Severity: Warning

Resolution: Restart the server to retrieve calibration data from initial POST.

iLO.0.10.PowerValueNotOptimal

Power caps set for less than 50% of the difference between maximum and minimum power may become unreachable due to changes in the server. Power caps set for less than 20% are not recommended.

Severity: Warning

Resolution: Please provide an optimal value in integer considering the power cap range.

iLO.0.10.PowerValueUnAvailable

Advanced power capping is not currently available due to the system configuration or state.

Severity: Warning

Resolution: Change the system configuration or wait for the system to become fully initialized, and then retry the operation.

iLO.0.10.PowerValueUnSupported

Advanced power capping is not supported on this system.

Severity: Warning

Resolution: None.

iLO.0.10.PrimaryESKMServerAccessible

Only the primary ESKM server is accessible.

Severity: OK

Resolution: None.

iLO.0.10.PrimarySecondaryAddressesResolveToSameServer

Primary and secondary ESKM server addresses resolve to the same server.

Severity: OK

Resolution: None.

iLO.0.10.PrimarySecondaryESKMServersAccessible

Both primary and secondary ESKM servers are accessible.

Severity: OK

Resolution: None.

iLO.0.10.PropertyValueBadParam

The property value is not valid.

Severity: Warning

Resolution: Retry the operation using a corrected value.

iLO.0.10.PropertyValueExceedsMaxLength

The value for the property exceeds the maximum length.

Severity: Warning

Resolution: Correct the value for the property in the request body, and then retry the operation.

iLO.0.10.PropertyValueIncompatible

The value for the property is the correct type, but this value is incompatible with the current value of another property.

Severity: Warning

Resolution: Correct the value for the property in the request body, and then retry the operation.

iLO.0.10.PropertyValueOutOfRange

The value for the property is out of range.

Severity: Warning

Resolution: Correct the value for the property in the request body, and then retry the operation.

iLO.0.10.PropertyValueRequired

Indicates that a property was required but not specified.

Severity: Warning

Resolution: Include the required property in the request body and then retry the operation.

iLO.0.10.RepairNotSupported

IML event with this severity is not supported to be repaired. IML events with Critical or Warning severities can marked as repaired.

Severity: Warning

Resolution: Please do not try to repair IML events with severity other than Critical or Warning.

iLO.0.10.RequiredPropertyMissing

Indicates that a required property is not specified.

Severity: Warning

Resolution: Include the required property in the request body and then retry the operation.

iLO.0.10.ResetInProgress

An iLO reset is in progress.

Severity: Warning

Resolution: Wait for iLO reset to complete, and then retry the operation.

iLO.0.10.ResetRequired

One or more properties were changed, but these changes will not take effect until the iLO is reset.

Severity: Warning

Resolution: To enable the changed properties, reset the iLO.

iLO.0.10.ResourceBeingFlashed

The change to the requested resource failed because the resource is being flashed.

Severity: Warning

Resolution: Retry the operation when the firmware upgrade has completed.

iLO.0.10.ResourceInUseWithDetail

The change could not be made because the resource was in use or in a transitioning state.

Severity: Warning

Resolution: Retry the request.

iLO.0.10.ResourceTemporarilyUnavailable

The resource is temporarily unavailable because the firmware is being flashed.

Severity: Warning

Resolution: Retry the operation when the firmware upgrade has completed.

iLO.0.10.SMBIOSRecordNotFound

The SMBIOS record type is not found or is not supported on the system.

Severity: Warning

Resolution: Reset the system to update the SMBIOS records. If the problem persists then the SMBIOS record type is not supported.

iLO.0.10.SNMPAgentlessEnabled

Modifying SNMP properties is not possible while SNMP is configured in Agentless mode.

Severity: Warning

Resolution: Disable Agentless mode, modify the properties, and then re-enable Agentless mode.

iLO.0.10.SNMPAlertDisabled

The operation could not be completed because SNMP alerts are disabled.

Severity: Warning

Resolution: Enable SNMP alerts and retry the operation.

iLO.0.10.SNMPDisabled

Modifying SNMP properties is not possible with SNMP disabled.

Severity: Warning

Resolution: Enable SNMP, and then modify the SNMP properties.

iLO.0.10.SNMPPassthruEnabled

Modifying SNMP properties is not possible while SNMP is configured in pass-thru mode.

Severity: Warning

Resolution: Configure SNMP 'Agentless' mode, modify the property, and then re-configure SNMP for 'Passthru' mode.

iLO.0.10.SNMPTestAlertFailed

The SNMP Test Alert did not send successfully.

Severity: Warning

Resolution: Verify the test alert content and retry.

iLO.0.10.SNTPConfigurationManagedByDHCPAndIsReadOnly

SNTP configuration is currently managed by DHCP and is therefore read-only.

Severity: Warning

Resolution: Disable SNTP configuration options in both DHCPv4 and DHCPv6 (see /Managers/n/NICs), and then reconfigure SNTP as desired with static settings.

iLO.0.10.SSOCertficateEmpty

SSO Certificate is Empty.

Severity: Warning

Resolution: None.

iLO.0.10.SSOCertificateReadError

SSO Certificate Read Error.

Severity: Warning

Resolution: Retry the request with valid SSO certificate.

iLO.0.10.SSONoSpaceError

No space to store SSO certificate.

Severity: Warning

Resolution: Make sure SSO database has enough space to store SSO certificate.

iLO.0.10.SSORecordNotFound

SSO Record Not Found.

Severity: Warning

Resolution: None.

iLO.0.10.SecondaryESKMServerAccessible

Only the secondary ESKM server is accessible.

Severity: OK

Resolution: None.

iLO.0.10.SuccessFeedback

The operation completed successfully.

Severity: OK

Resolution: None

iLO.0.10.SyslogFeatureDisabled

Remote Syslog feature is disabled.

Severity: Warning

Resolution: Enable remote syslog feature to send test syslog message.

iLO.0.10.SystemResetRequired

The system properties were correctly changed, but will not take effect until the system is reset.

Severity: Warning

Resolution: Reset system for the settings to take effect.

iLO.0.10.TokenRequired

Proper 'X-HPRESTFULAPI-AuthToken' authorization token not provided.

Severity: Critical

Resolution: Create proper 'X-HPRESTFULAPI-AuthToken' authorization token. Send token in using the proper HTTP header.

iLO.0.10.UnableModifyRights

Unable to modify user rights.

Severity: Warning

Resolution: None.

iLO.0.10.UnableToModifyDueToMissingComponent

The value for the property cannot be changed because a related hardware component is not installed.

Severity: Warning

Resolution: Install the hardware component and retry the operation.

iLO.0.10.UnableToModifyDuringSystemPOST

The value for the property cannot be changed while the computer system BIOS is in POST.

Severity: Warning

Resolution: After the computer system is either fully booted or powered off, retry the operation.

iLO.0.10.UnauthorizedLoginAttempt

The login was not successful, because the supplied credentials could not be authorized.

Severity: Warning

Resolution: Log in with authorized user name and password credentials.

iLO.0.10.UnsupportedOperation

This operation is not supported by RIS for the current system.

Severity: Warning

Resolution: None.

iLO.0.10.UnsupportedOperationInLegacyBootMode

This operation is not supported when the system Boot Mode is set to Legacy BIOS.

Severity: Warning

Resolution: Change the Boot Mode to UEFI and retry the operation.

iLO.0.10.UnsupportedOperationInSystemBIOS

This operation is not supported by the current version of the system BIOS.

Severity: Warning

Resolution: None.

iLO.0.10.UserAlreadyExist

The user or login user name already exists.

Severity: Warning

Resolution: Try a different user or login user name.

iLO.0.10.UserNameAlreadyExists

Duplicate SNMPv3 User.

Severity: Warning

Resolution: Enter a different name and try again.

iLOEvents.0.9.AdapterConfigurationChange

Severity: Ok

Resolution: None

iLOEvents.0.9.CorrectableOrUncorrectableMemoryErrors

Correctable or uncorrectable Memory Errors Detected. Correctable errors have been corrected, but the memory module should be replaced. Value 0 for CPU means memory is not Processor based.

Severity: Warning

Resolution: Replace the failing memory module.

iLOEvents.0.9.DeviceDiscoveryStatus

The server device discovery status has changed.

Severity: OK

Resolution: None.

iLOEvents.0.9.FanDegraded

The fault tolerant fan condition has been set to degraded for the specified chassis and fan.

Severity: Critical

Resolution: Replace the failing fan.

iLOEvents.0.9.FanFailed

The fault tolerant fan condition has been set to failed for the specified chassis and fan.

Severity: Critical

Resolution: Replace the failed fan.

iLOEvents.0.9.FanInserted

A fault tolerant fan has been inserted into the specified chassis and fan location.

Severity: OK

Resolution: None.

iLOEvents.0.9.FanRedundancyLost

The fault tolerant fans have lost redundancy for the specified chassis.

Severity: Warning

Resolution: Check the system fans for a failure.

iLOEvents.0.9.FanRedundancyRestored

The fault tolerant fans have returned to a redundant state for the specified chassis.

Severity: OK

Resolution: None.

iLOEvents.0.9.FanRemoved

A fault tolerant fan has been removed from the specified chassis and fan location.

Severity: Warning

Ilo 4 Error Installing License Demo License Previously Installed

Resolution: None.

iLOEvents.0.9.FirmwareFlashStatusChanged

The firmware flash status has changed

Severity: OK

Resolution: None.

iLOEvents.0.9.ILOToInsightRemoteSupportCommunicationFailure

iLO to Insight Remote Support or Insight Online communication failed.

Severity: Warning

Resolution: Please check the connectivity to Insight Remote Support or Insight Online Host.

iLOEvents.0.9.IndicatorLEDStateChanged

The state of the indicator LED has changed

Severity: OK

Resolution: None.

iLOEvents.0.9.MirroredMemoryEngaged

Advanced Memory Protection Mirrored Memory Engaged. The Advanced Memory Protection subsystem has detected a memory fault. Mirrored Memory has been activated.

Severity: Warning

Resolution: Replace the faulty memory.

iLOEvents.0.9.POSTErrorsOccurred

One or more POST errors occurred. Power On Self-Test (POST) errors occur during the server restart process. Details of the POST error messages can be found in Integrated Management Log

Severity: Warning

Resolution: Refer to the Integrated Management Log for details on the Power on self-test error.

iLOEvents.0.9.PowerRedundancyLost

The fault tolerant power supplies have lost redundancy for the specified chassis.

Severity: Warning

Resolution: Check the system power supplies for a failure.

iLOEvents.0.9.PowerRedundancyRestored

The fault tolerant power supplies have returned to a redundant state for the specified chassis.

Severity: OK

Resolution: None.

iLOEvents.0.9.PowerSupplyACPowerLoss

Power supply AC power loss for the specified chassis and bay location.

Severity: Critical

Resolution: Check the power source for the specified power supply.

iLOEvents.0.9.PowerSupplyDegraded

The fault tolerant power supply condition has been set to degraded for the specified chassis and bay location.

Severity: Critical

Resolution: Replace the failing power supply.

iLOEvents.0.9.PowerSupplyFailed

The fault tolerant power supply condition has been set to failed for the specified chassis and bay location.

Severity: Critical

Resolution: Replace the failed power supply.

iLOEvents.0.9.PowerSupplyInserted

A fault tolerant power supply has been inserted into the specified chassis and bay location.

Severity: OK

Resolution: None.

iLOEvents.0.9.PowerSupplyOK

The fault tolerant power supply condition has been set back to the OK state for the specified chassis and bay location.

Severity: OK

Resolution: None.

iLOEvents.0.9.PowerSupplyRemoved

A fault tolerant power supply has been removed from the specified chassis and bay location.

Severity: Warning

Resolution: None.

iLOEvents.0.9.ResourceAdded

Resource added.

Severity: OK

Resolution: None.

iLOEvents.0.9.ResourceRemoved

Resource removed.

Severity: OK

Resolution: None.

iLOEvents.0.9.ResourceStatusChanged

Resource status changed.

Severity: OK

Resolution: None.

iLOEvents.0.9.ResourceUpdated

Resource updated.

Severity: OK

Resolution: None.

iLOEvents.0.9.SNMPAuthenticationFailure

An unauthorized user attempted to access the iLO via SNMP

Severity: OK

Resolution: None.

iLOEvents.0.9.SecurityOverrideDisengaged

Security override disengaged. iLO firmware has detected the security override jumper has been toggled to the disengaged position.

Severity: OK

Resolution: None.

iLOEvents.0.9.SecurityOverrideEngaged

Security override engaged. iLO firmware has detected the security override jumper has been toggled to the engaged position.

Severity: OK

Resolution: None.

iLOEvents.0.9.ServerHardwareSignatureChanged

The server hardware signature has changed. This can be caused by addition or removal of Mezziane cards or relocation of the server.

Severity: OK

Resolution: None.

iLOEvents.0.9.ServerOperational

The server is operational again. The server has previously been shutdown due to a thermal anomaly on the server and has just become operational again.

Severity: Warning

Resolution: None.

iLOEvents.0.9.ServerPostComplete

The server has reached Power On Self Test complete.

Severity: OK

Resolution: None.

iLOEvents.0.9.ServerPowerOnFailure

A request was made to power on the server, however the server could not be powered on due to a failure condition.

Severity: Critical

Resolution: None.

iLOEvents.0.9.ServerPoweredOff

The server has been powered off.

Severity: OK

Resolution: None.

iLOEvents.0.9.ServerPoweredOn

The server has been powered on.

Severity: OK

Resolution: None.

iLOEvents.0.9.ServerResetDetected

Server Reset Detected. iLO firmware has detected a server reset.

Severity: Critical

Resolution: None.

piLOEvents.0.9.SystemBatteryFailed

The system battery condition has been set to failed for the specified chassis and index location.

Severity: Warning

Resolution: Replace the failed battery.

iLOEvents.0.9.SystemBatteryRemoved

The system battery condition has removed for the specified chassis and index location.

Severity: Warning

Resolution: None.

iLOEvents.0.9.ThermalStatusDegradedSysContinue

The temperature status has been set to degraded in the specified chassis and location. The server's temperature is outside of the normal operating range.

Severity: Critical

Resolution: Check the system for hardware failures and verify the environment is properly cooled.

iLOEvents.0.9.ThermalStatusDegradedSysShutdown

The temperature status has been set to degraded in the specified chassis and location. The server's temperature is outside of the normal operating range.

Severity: Critical

Resolution: Check the system for hardware failures and verify the environment is properly cooled.

iLOEvents.0.9.ThermalStatusOK

The temperature status has been set to ok in the specified chassis and location. The server's temperature has returned to the normal operating range.

Severity: OK

Resolution: None.

iLOEvents.0.9.UnauthorizedLoginAttempts

iLO firmware has detected multiple unauthorized login attempts.

Severity: OK

Resolution: Check the iLO log for more information on the login failure.

iLOEvents.0.9.iLOReset

iLO reset pending

Severity: OK

Resolution: None.

Base.0.10.AccountNotModified

The request was unable to modify the account.

Severity: Warning

Resolution: If the operation did not complete, check the authorization or the request body for issues and resubmit the request.

Base.0.10.AccountRemoved

The account was removed successfully.

Severity: OK

Resolution: None.

Privileged Password Management Solution, Secure Password Manager

Web-Interface, Authentication

Security

1. How can I generate a unique SSL certificate for MySQL server? (Steps applicable for PMP 6500 onwards)

Password Synchronization

Backup & Disaster Recovery

Troubleshooting & General Tips

Licensing

Web Interface, Authentication

1. Can I change the default port 7272 occupied by PMP?

Yes, you can change the default port as explained below:

• Go to <PMP_Installation_Folder>conf directory and open the server.xml file
• Replace the entry '7272' with the port number of your choice. Note that there will be 7272 entries within comments too and all should be replaced.

2. Why are my users not notified of their PMP accounts?

Users are notified of their PMP accounts only through email. If they do not get the notification email, check

• if you have configured the mail server settings properly with the details of the SMTP server in your environment
• if you have provided valid credentials as part of mail server settings, as some mail servers require them for mails to be sent
• if the 'Sender E-Mail ID' is properly configured as some mail servers reject emails sent without the from address or mails originating from unknown domains

3. What are the authentication schemes available in PMP?

You can use one of the following three mechanisms:

Active Directory: When enabled, the authentication request is forwarded to the configured domain controller and based on the result, the user is allowed or denied access into PMP. The user name, password and the domain are supplied in the PMP login screen. This scheme works only for users whose details have been imported previously from AD. Available only when PMP server is installed on Windows system.

LDAP Directory: When enabled, the authentication request is forwarded to the configured

LDAP directory server and based on the result, the user is allowed or denied access into PMP. The user name and password and the option to use LDAP authentication are supplied in the PMP login screen. This scheme works only for users whose details have been imported previously from the LDAP directory

PMP Local Authentication: The authentication is done locally by the PMP server. Irrespective of AD or LDAP authentication being enabled, this scheme is always available for the users to choose in the login page. This scheme has a separate password for users and the AD or LDAP passwords are never stored in the PMP database.

4. What are the user roles available in PMP? What are their access levels?

PMP comes with three pre-defined roles:

• Administrators
• Password Administrators
• Password Users

Any administrator can be made as 'Super Administrator' with the privilege to view and manage all resources.Refer help documentation for details on access levels.

5. What if I forget my PMP login password?

PMP comes with three pre-defined roles:

If you were already given a valid PMP account, you can use the 'Forgot Password?' link available in the login page to reset the password. The user name/e-mail id pair supplied should match the one already configured for the user and in that case, the password will be reset for that user and the new password will be emailed to that email id.

6. Why does Internet Explorer 7 (and other browsers) complain while accessing PMP console?

PMP comes with three pre-defined roles:

The PMP web console always uses HTTPS to communicate with the PMP server. The PMP server comes with a default self-signed SSL certificate, which the standard web browsers will not recognize and issue a warning. Particularly IE 7's warning message appears serious. Ignoring this warning still guarantees encrypted communication between the PMP console and the server but if you want your users to be particularly sure that they are connecting only to the PMP server, you will need to install a SSL certificate that you have bought from a certificate authority, that is recognized by all standard web browsers.

Security

1. How secure are my passwords in PMP?

Ensuring the secure storage of passwords and offering high defence against intrusion are the mandatory requirements of PMP. The following measures ensure the high level security for the passwords:

• Passwords are encrypted using the Advanced Encryption Standard (AES), which is currently the strongest encryption algorithm, and stored in the database. (AES has been adopted as an encryption standard by the U.S. Government)
• The database which stores all the passwords accepts connections only from the host that it is running on and is not visible externally
• Role-based, fine-grained user access control mechanism ensures that the users are allowed to view the passwords based on the authorization provided
• All transactions between the PMP console and the server take place through HTTPS
• In-built Password Generator can help you generate strong passwords

For detailed information, refer to Product Security Specifications document.

2. How secure are the A-to-A, A-to-DB password management done through Password Management APIs?

The web API exposed by PMP forms the basis for Application-to-Application/Database Password Management in PMP. The applications connect and interact with PMP through HTTPS. The application's identity is verified by forcing it to issue a valid SSL certificate, matching the details already provided to PMP corresponding to that application.

3. Can we install our own SSL certificate? How?

The PMP runs as a HTTPS service. It requires a valid CA-signed SSL certificate with the principal name as the name of the host on which it runs. By default, on first time startup, it creates a self-signed certificate, which will not be trusted by the user browsers. Thus, while connecting to PMP, you need to manually verify the certificate information and the host name of PMP server carefully and should force the browser to accept the certificate.

To make the PMP server trusted by the web browsers and the users:

• Obtain a new signed certificate from a CA for the PMP host. [OR]
• Configure an existing certificate obtained from a CA with wild-card principal support for the PMP host.

There are different ways to generate the signed SSL certificates:

1. By using the 'Certificate Management' module of Password Manager Pro.
2. By using the OpenSSL or Keytool (bundled with Java) to create your certificates, get them signed by a CA and use them with PMP.
3. By installing a wild card certificate.

You can decide the mode of generating the signed SSL certificates based on what your security administrators recommend. The detailed steps for using each of the above methods are provided under the links below.

Note: If you already have a certificate signed by a CA, then we recommend using OpenSSL to create the keystore and configure it in PMP (steps 4 and 5 in the instructions below).

1. Generating Signed SSL certificates using OpenSSL

1. Generating Signed SSL certificates using the Certificate Management module of Password Manager Pro

You can generate signed SSL certificates through the Certificate Management module of Password Manager Pro and also apply the certificate changes (Certificate Keystore) directly from the Password Manager Pro console. This involves three processes:

1.1 Generating a Certificate Signing Request (CSR):

To request and acquire certificates from a Local CA through Password Manager Pro, you need to first generate a Certificate Signing Request (CSR). Here are the steps for the same:

1. Navigate to the 'Certificates→ Create CSR'.
2. Click the Create button. The Create CSR page is displayed.
3. Select either of the options Create CSR or Create CSR From KeyStore, based on whether you want to create a new CSR or create a CSR from an already existing private key, respectively.
   1. If you have selected Create CSR, fill in the details, such as Common Name, SAN, Organization Unit, Organization Location, State, Country, Key Algorithm and Key Size. Select the Key Algorithm and Keystore Type. Enter the Validity and Store Password.
   2. If you have selected Create CSR From KeyStore, browse and attach the required private key file along with the Private Key Password.
   3. Click the Create button. You will be redirected to a window where the CSR content is displayed. You can copy the CSR content or export it to a mailbox.
   • Email – Select this option to send the certificate file via email to the specified mail id.
   • Export CSR / Private Key - Select this option to export the CSR or the corresponding private key alone based on your requirement.

   View the saved CSRs under 'Certificates >> Create CSR'.
   Note: The 'show passphrase' eye icon corresponding to each CSR allows the administrators to view the KeyStore passwords of the CSR files.

1.2 Signing the Certificate:

Password Manager Pro provides the option to sign and issue certificates to all clients in your network either from your Microsoft Certificate Authority or using a custom root CA certificate that is trusted within your environment.

Note: Remember, you should have generated a valid Certificate Signing Request (CSR) before getting your certificate signed from the local CA.

Follow the below steps to sign the certificate:

1. Navigate to 'Certificates → Create CSR'.
2. Select the required CSR from the table and click Sign from the top menu.
3. In the pop-up window displayed, provide the name of the server that runs the internal certificate authority, CA Name and choose the certificate template based on your requirement. Click Sign Certificate. The CSR is signed now and the issued certificate can be viewed under 'Certificates >> Certificates'.

1.3 Applying the Certificate Keystore for Password Manager Pro web server:

To apply the certificate Keystore, first you need to create it.

1. Navigate to 'Certificates >> Certificates'. Click the signed certificate link under the heading Common Name. In the certificate details page displayed, click the Export icon present at the top right corner of the screen. The certificate file will be downloaded to your local machine.
2. Now, navigate to 'Certificates → Create CSR'.
3. Click the Import Certificate icon corresponding to the CSR of the signed certificate. Browse and choose the certificate file downloaded in your local machine and click Import. Now, the certificate will be bonded with the private key to form a Keystore.
4. Now navigate back to 'Certificates >> Certificates' and click the certificate link under the heading Common Name. In the certificate details page displayed, scroll down and click the Export link. This will download the certificate Keystore to your local machine.
5. The final step is to navigate to 'Admin >> Configuration >> Password Manager Pro Server' and do the following:
   1. Choose the Keystore Type as 'JKS' or 'PKCS12', whichever you chose while generating the CSR.
   2. Browse and upload the Keystore File.
   3. Enter the same Keystore Password, you entered while generating the CSR.
   4. Modify the Server Port, if required.
   5. Hit Save.

Restart the Password Manager Pro service once, for the certificate change to take effect.

2. Generating Signed SSL certificates using OpenSSL

OpenSSL mostly comes bundled with the Linux distributions. If you are using the Windows server and do not have OpenSSL installed, download it from http://www.slproweb.com/products/Win32OpenSSL.html. Make sure the 'bin' folder under the OpenSSL installation is included in the 'PATH' environment variable.

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake:

• Open the command prompt.
• Execute 'openssl genrsa -des3 -out <privatekey_filename>.key 1024'
  • <privatekey_filename> is the filename you specify to store the private key.
• You will be prompted to enter a pass-phrase for the private key. Enter 'passtrix' or a pass-phrase of your choice. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters)
• A file will be created in the name <privatekey_filename>.key in the same folder.

Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority to create a signed certificate with the public key generated in the previous step:

• Execute 'openssl req -new -key <privatekey_filename>.key -out <certreq_filename>.csr'
  • <privatekey_filename>.key is the one used in the previous step.
  • <certreq_filename>.csr is the filename you specify to carry the certificate creation request to the CA (certificate authority).
• You will be prompted to enter a series of values that are part of the distinguished name (DN) of the server hosting PMP.
• Enter values as required. Importantly, for the 'Common Name' supply the fully qualified name of the server hosting PMP (with which it will be accessed through the browsers).
• A file will be created in the name <certreq_filename>.csr in the same folder.

Step 3 : Submit the CSR to a Certificate Authority (CA) to obtain a CA signed certificate

• Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting CSRs and this will involve a cost to be paid to the CA
• This process usually takes a few days time and you will be returned your signed SSL certificate and the CA's root certificate as .cer files
• Save them both in the same working folder where files from steps 1 and 2 are stored

Step 4: Import the CA-signed certificate to a keystore:

• Open command prompt and navigate to the same working folder.
• Execute 'openssl pkcs12 -export -in <cert_file>.cer -inkey <privatekey_filename>.key -out <keystore_filename>.p12 -name pmp -CAfile <root_cert_file>.cer -caname pmp -chain'

  where,

  • cert_file.cer is the signed SSL certificate with the .cer extension.
  • privatekey_filename.key is the private key file with a .key extension.
  • keystore_filename.p12 name is the keystore that will be generated with a .p12 extension.
  • root_cert_file.cer is the CA's root certificate with a .cer extension.
• When prompted for a password, enter the same password, you used in step 1 for the private key. This requirement is due to an inherent limitation in tomcat, which requires the two passwords to match.
• Now, a keystore file in the name <keystore_filename>.p12 will be generated in the same folder.

Step 5: Finally, configure the PMP server to use the keystore with your SSL certificate:

• Copy the <keystore_filename>.p12 generated in step 4 to the <PMP_Install_Folder>conf folder.
• Open command prompt and navigate to the <PMP_Install_Folder>conf folder.
• Open the file server.xml and do the following changes:
  • Search for the entry 'keystoreFile', which will have the default value set to 'conf/server.keystore'. Change the value to 'conf/<keystore_filename>.p12'.
  • Starting from version 9700, the keystore password is encrypted and cannot be updated directly in the server.xml file.¾In order to manually¾update the keystore password in the .xml file, disable the encryption first,¾by¾changing the value¾'keystorePassEncrypted=true' to 'keystorePassEncrypted=false'.

Note: This step is applicable only if you're using version 9700 or above.

• Now, set the value of 'keystorePass' to 'passtrix' or the password you specified in the previous step while creating the keystore.
• Add a new entry¾keystoreType='PKCS12' next to the keystorePass entry.
• Save the¾server.xml file.
• Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP.

3. Generating Signed SSL certificates using Keytool

Step 1: The first step is to create the public-private key pair that will be used for the SSL handshake:

• Go to the <PMP_Home>/jre/bin folder.
• Execute the command:
  './keytool -genkey -alias pmp -keyalg RSA -sigalg SHA256withRSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of days> -keystore <keystore_filename>

  where,
  <keystore_password> is the password to access the keystore, <privatekey_password> is the password to protect your private key. Note that due to an inherent limitation in tomcat, these two passwords have to be the same. (Though it is not documented, Tomcat has issues with passwords containing special characters, so use a password that has only alpha characters)
  <no_of_days> is the validity of the key pair in number of days, from the day it was created

• The above command will prompt you to enter details about you and your organization.

• For the 'first and the last name', enter the FQDN of the server where PMP is running.
• For other fields, enter the relevant details.
• A keystore file will be created in the name <keystore_filename> in the same folder, with the generated key pair.

Step 2: Create a Certificate Signing Request (CSR) for submission to a certificate authority to create a signed certificate with the public key generated in the previous step:

• Go to the <PMP_Home>/jre/bin folder.
• Execute the command: 'keytool -certreq -keyalg RSA -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore <keystore_filename>'.

Note: The <csr_filename> that you choose should have the .csr extension.

• A CSR file in the name <csr_filename> will be created in the same folder.

Step 3 : Submit the CSR to a Certificate Authority (CA) to obtain a signed certificate:

• Some of the prominent CAs are Verisign (http://verisign.com), Thawte (http://www.thawte.com), RapidSSL (http://www.rapidssl.com). Check their documentation / website for details on submitting the CSRs. Please nothe that this is a paid service.
• This process usually takes a few days of time. You will receive your signed SSL certificate and the CA's certificate as .cer files.
• Save both the files in the <PMP_Home>/jre/bin folder.

Step 4: Import the CA-signed certificate to the PMP server:

• Go to the <PMP_Home>/jre/bin folder using command prompt.
• If you have a single file as the certificate bundle(p7b), then run the below command:

'keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_bundle.p7b>'

where,

• <your_ssl_bundle> is the certificate bundle obtained from the CA, a .p7b file saved in the previous step. The <privatekey_password>,<keystore_password> and <keystore_filename> are the ones used in the previous steps.
• If you have 3 files, the root, the intermediate and the actual certificates in .cer format, then you need to import each one of them using the below commands.
  • 'keytool -import -alias root -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <root.cer>'
  • 'keytool -import -alias inter -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <inter.cer>'
  • 'keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore <keystore_filename> -trustcacerts -file <your_ssl_cert.cer>'
• Now, copy the <keystore_filename> to the <PMP_Home>/conf folder.

Step 5: Finally, configure the PMP server to use the keystore with your SSL certificate:

• Go to¾the <PMP_Home>/conf folder.
• Open the file¾server.xml.
• Search for the entry 'keystoreFile', which will have the default value set to 'conf/server.keystore'. Change the value to 'conf/<keystore_filename>', where <keystore_filename> is the one used in the previous steps.
• Starting from version 9700, the keystore password is encrypted and cannot be updated directly in the server.xml file.¾In order to manually update the keystore password in the¾.xml file, disable the encryption first, by¾changing the value 'keystorePassEncrypted=true' to 'keystorePassEncrypted=false.

  Note: This step is applicable only if you're using the version 9700 or above.

• Set the value of 'keystorePass' to 'passtrix' or the password you specified in the previous step while creating the keystore.
• Restart the PMP server and connect through the web browser. If you¾are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP.

Note: Tomcat, by default, accepts only the JKS (Java Key Store) and PKCS #12 format keystores. In case, the keystore is of PKCS #12 format, include the following option in the server.xml file along with the keystore name, keystoreType='PKCS12? This notifies tomcat that the format is PKCS12. Restart the server after this change.

4. Generating Signed SSL certificates by installing an existing wild card supported SSL certificate:

• Go to the <PMP_Home>/conf folder.
• Open the file server.xml.
• Search for the entry 'keystoreFile', which will have the default value set to 'conf/server.keystore'. Change the value to 'conf/<keystore_filename>' where <keystore_filename> belongs to the existing wild-card certificate.
• Also search for the entry 'keystorePass' (found next to the keystoreFile), which will have the default value set to 'passtrix'. Change the value to '<keystore_password>', where <keystore_password> protects the existing wild-card certificate keystore.
• Restart the PMP server and connect through the web browser console. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP.

Note: Please refer your CA's documentation for more details and troubleshooting.

4. How do I generate Unique SSL Certificate for MySQL Server? (Applicable for PMP 6500 onwards)

Follow the steps below to generate SSL certificate for MySQL Server. (If you want to have a self-signed key, follow all the steps. If you are using a CA signed certificate, skip steps 1, 2 and 5.)

Step 1 Create certificate authority key

• Open a command prompt
• Execute the command openssl genrsa -out ca.key 1024
• This will create a key named ca.key
  

Step 2 Create a self-signed certificate authority certificate

• Execute the command openssl req -new -x509 -days 365 -key ca.key -out CAcert.pem
  
• Here ca.key is the file you created in step 1
  
• This will create a file named CAcert.pem
  

Step 3 Generate private key

• Open a command prompt
• Execute the command openssl genrsa -out ServerKey.key 1024
• This will create a file named ServerKey.key
  

Step 4 Generate a certificate request

• Execute the command openssl req -new -key ServerKey.key -out server.csr
• Here, ServerKey.key is the file you created in step 3
• This will create a file named server.csr

Step 5 Create a Certificate Signing Request (CSR) for submission to a certificate authority (perform this step only if you are using a self-signed certificate. Otherwise, proceed to step 6)

• Execute the command openssl x509 -req -days 365 -in server.csr -CA CAcert.pem -CAkey ca.key -set_serial 01 -out ServerCer.cer
  
• Here, server.csr is the file you created in Step 4; CAcert.pem is the file created in Step 2; ca.key is the file created in Step 2
• This will create a file named ServerCer.cer
  

Step 6 Generate .p12 file

• Execute the command openssl pkcs12 -export -in ServerCer.cer -inkey ServerKey.key -out PMPKeyStore.p12 -name pmp -CAfile CAcert.pem -caname pmp -chain
• Here, ServerCer.cer is the file you created in Step 5. If you are using a CA signed certificate, enter the signed SSL certificate with .cer extension; ServerKey.key is the one you created in Step 3; CAcert.pem is the file created in Step 2
• This will create a file named PMPKeyStore.p12
• Here, you will be prompted to enter 'Export Password'. The password specified here has to be entered in PMP configuration file in wrapper.conf (in Windows installation) and wrapper_lin.conf (in Linux installation) as explained below.
  Open wrapper.conf (in Windows installation) and wrapper_lin.conf (in Linux installation) and search for the following line:
  wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix
  In the above, replace passtrix with the password you have entered above.

Step 7 Configure the PMP server to use the keystore with your SSL certificate

• By executing the above steps, you would have got four files namely CAcert.pem, ServerKey.key, ServerCer.cer and PMPKeyStore.p12. You need to copy and paste these files into <PMP-Installation-Folder>/conf directory
  

Step 8 Import CAcert.pem into PMP

• Navigate to <PMP-Installation-Folder>/bin directory and execute the following command:

In Windows: importcert.bat <absolute path of the CAcert.pem file created in step 2>
In Linux: sh importcert.shbat <absolute path of the CAcert.pem file created in step 2>

Step 9 Put these files into MySQL

• You need to copy the following three files created after Step 6 and rename them as below:

CAcert.pem to be renamed as ca-cert.pem
ServerKey.key to be renamed as server-key.pem
ServerCer.cer to be renamed as server-cert.pem

• Then, put the renamed files into <PMP-Installation-Folder>/mysql/data directory

Important Note: If you are having High Availability setup, execute the steps 7, 8 and 9 in PMP secondary installation also.

5. Can we create server certificate with SubjectAlternativeName (SAN)?

Yes, you can create a certificate using SAN name with an alias name and can apply in PMP.

Method 1: Creating certificate with SAN using Microsoft internal CA

Make sure you follow the below mentioned steps to create server certificate with SubjectAlternativeName using Microsoft Internal CA. Also, in Additional Attributes, specify the 'san:dns=<The URL which you use to access PMP>' and then can try creating the certificate.

Step 1: Connect to the server where Microsoft Certificate Service is running.

Step 2: Open a command prompt and execute certutil -setreg policyEditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

Step 3: Then, restart Microsoft Certificate Service(certsvc)

Step 4: Create the private key using the below command, 'keytool -genkey -alias pmp -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of days> -keystore pmp.keystore'

Here, when it prompts for first and last name, specify the name which you use to access PMP.

Step 5: Create the Certificate Signing Request(CSR) using the below command: 'keytool -certreq -keyalg RSA -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore pmp.keystore'

• Submit CSR request to Microsoft Internal CA
  • Open IE and go to your CA's certificate request page
  • Request advanced certificate
  • Submit a certificate request
  • Copy and paste content of <csr_filename>.cer file
  • Certificate template should be Web Server
  • In 'Additional Attributes', enter 'san:dns=password manager&dns=passwordmanager.tcu.ad.local' and click submit.
  • Download the certificate chain in base64 format as pmpcert.p7b

Step 6: Import the downloaded 'pmpcert.p7b' file into the pmp.keystore 'keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore pmp.keystore -trustcacerts -file pmpcert.p7b'

Note : If you receive the error message 'Failed to establish chain from reply' with the above command, it means the root and intermediate certs of your CA are not available in the trusted store of the Password Manager Pro. So, before importing the actual certificate, you have to import the root certificate with a different alias and then the actual certificate. Also, if you have multiple root certificate then you have to import them one by one with the different alias name. For example,

./keytool -import -alias root1 -keypass Password123 -storepass Password123 -keystore PMP.keystore -trustcacerts -file root1.cer

./keytool -import -alias root2 -keypass Password123 -storepass Password123 -keystore PMP.keystore -trustcacerts -file root2.cer

Based on the number of root or intermediate root, you have to execute the above command with a different alias name and then continue with the actual certificate.

Note : The actual certificate should be in .cer or .crt format.

Step 7: Go to <PMP_Home>/conf folder

Step 8: Open the file server.xml

Step 9: Search for the entry 'keystoreFile', which will have the default value set to 'conf/server.keystore'. Change the value to 'conf/<keystore_filename>' where <keystore_filename> is the one used in the previous steps.

Step 10: Also search for the entry 'keystorePass' (which will infact be next to keystoreFile), which will have the default value set to 'passtrix'. Change the value to '<keystore_password>' where <keystore_password> is the one used in the previous steps.

Step 11: Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP.

This above steps will configure SSL certificate for the web server(7272). To apply the same certificate on RDP gateway(port 7273) follow the below mentioned steps.

• Edit the wrapper.conf file present inside <PMP-Home>/conf folder with wordpad/notepad++
• Search for the text 'wrapper.java.additional.21=-Djavax.net.ssl.keyStore=../conf/server.keystore' and replace it with 'wrapper.java.additional.21=-Djavax.net.ssl.keyStore=../conf/yourSSL.keystore' where <SSL.keystore> is the keystore file.
• Search for 'wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix' and replace it with 'wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=password' where <password> is password of keystore file

Method 2: Creating certificate with SAN sing third party vendor like GoDaddy, Verisign, Commodo etc.

Make sure you follow the below mentioned steps to get SAN certificate signed from third party vendors

Step 1: Create the private key using the below command, 'keytool -genkey -alias pmp -keyalg RSA -keypass <privatekey_password> -storepass <keystore_password> -validity <no_of days> -keystore pmp.keystore'

Here, when it prompts for first and last name, specify the name which you use to access PMP.

Step 2: Create the Certificate Signing Request(CSR) using the below command: 'keytool -certreq -keyalg RSA -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -file <csr_filename> -keystore pmp.keystore'

Step 3: Submit CSR request to third party signing tool and ensure to get the certificate signed using SAN name. Download the certificate chain in base64 format as pmpcert.p7b

Step 4: Import the downloaded 'pmpcert.p7b' file into the pmp.keystore keytool -import -alias pmp -keypass <privatekey_password> -storepass <keystore_password> -keystore pmp.keystore -trustcacerts -file pmpcert.p7b

Note: If you receive the error message 'Failed to establish chain from reply' with the above command. Then, the root and intermediate certs of your CA are not available in the trusted store of the Password Manager Pro. So, before importing the actual certificate, you have to import the root certificate with a different alias and then the actual certificate. Also, if you have multiple root certificate then you have to import them one by one with the different alias name. Example are below

./keytool -import -alias root1 -keypass Password123 -storepass Password123 -keystore PMP.keystore -trustcacerts -file root1.cer

./keytool -import -alias root2 -keypass Password123 -storepass Password123 -keystore PMP.keystore -trustcacerts -file root2.cer

Based on the number of root or intermediate root, you have to execute the above command with a different alias name and then continue with the actual certificate.

Note: The actual certificate should be in .cer or .crt format.

Step 5: Go to <PMP_Home>/conf folder

Step 6: Open the file server.xml

Step 7: Search for the entry 'keystoreFile', which will have the default value set to 'conf/server.keystore'. Change the value to 'conf/<keystore_filename>' where <keystore_filename> is the one used in the previous steps.

Step 8: Also search for the entry 'keystorePass' (which will infact be next to keystoreFile), which will have the default value set to 'passtrix'. Change the value to '<keystore_password>' where <keystore_password> is the one used in the previous steps.

Step 9: Restart the PMP server and connect through the web browser. If you are able to view the PMP login console without any warning from the browser, you have successfully installed your SSL certificate in PMP.

This above steps will configure SSL certificate for the web server(7272). To apply the same certificate on RDP gateway(port 7273) follow the below mentioned steps.

• Edit the wrapper.conf file present inside <PMP-Home>/conf folder with wordpad/notepad++
• Search for the text 'wrapper.java.additional.21=-Djavax.net.ssl.keyStore=../conf/server.keystore' and replace it with 'wrapper.java.additional.21=-Djavax.net.ssl.keyStore=../conf/yourSSL.keystore' where <SSL.keystore> is the keystore file.
• Search for 'wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=passtrix' and replace it with 'wrapper.java.additional.22=-Djavax.net.ssl.keyStorePassword=password' where <password> is password of keystore file.

Password Synchronization

1. Can I also change resource passwords from the PMP console?

Yes, of course. PMP can change the passwords currently for Windows, Windows domain and Linux systems. Capability to change passwords of other types of resources like databases, routers, switches etc will be gradually added. PMP supports both agent-based and agent-less modes of changing passwords.

2. When to use the agent and agent-less modes for password synchronization?

Let us first look at the requisites for both the modes:

The agent mode requires the agent to be installed as a service and run with administrative privileges to perform password changes. The communication between the PMP server and agent takes place through TCP for normal information and HTTPS for password transfer and hence communication paths must exist (ports to be kept open) between the server and agent.

For the agent-less mode, you must supply administrative credentials to perform the password changes. For Linux you must specify two accounts, one with root privileges and one with normal user privileges that can be used to login from remote. Telnet or SSH service must be running on the resources. For Windows domain, you must supply the domain administrator credentials. For Windows and Windows domain, PMP uses remote calls and relevant ports must be open on the resource.

Based on this you can choose which mode you want for your environment, indicated by the following tips:

Choose agent mode when,

• you do not have administrative credentials stored for a particular resource in PMP
• you do not have the required services running on the resource (Telnet / SSH for Linux, RPC for Windows)
• you run PMP in Linux and want to make password changes to a Windows resource

Choose agent less mode in all other cases as it is a more convenient and reliable way of doing password changes.

3. Can I enable agent less password synchronization if I add my own resource type for other distributions of Linux / other versions of Windows?

Yes, you can. As long as your resource type label contains the string 'Linux' or 'Windows', you can still configure agent less password synchronization for those resources.

Example of valid resource type labels to enable password synchronization:

Debian Linux, Linux - Cent OS, SuSE Linux, Windows XP Workstation, Windows 2003 Server

4. Is there a way to do remote password synchronization for resource types other than the ones for which remote reset is supported now?

Yes, you can make use of Password Reset Listeners, which enable invoking a custom script or executable as a follow-up action to Password Reset action in PMP. Refer to Help Documentation for more details.

5. How to troubleshoot when password synchronization does not happen?

In the agent mode,

• Check if the agent is running by looking at the Windows active process list for the entry 'PMPAgent.exe' or the presence of a process named PMPAgent in Linux
• Check if the account in which the agent is installed has sufficient privileges to make password changes

In the agent less mode,

• Check if the right set of administrative credentials have been provided and the remote synchronization option is enabled
• Check if the necessary services are running on the resource (Telnet / SSH for Linux, RPC for Windows)
• Check if the resource is reachable from the PMP server using the DNS name provided

6. Windows domain password reset fails with the error message: 'The authentication mechanism is unknown'

This happens when PMP is run as a Windows service and the 'Log on as' property of the service is set to the local system account. Change it to any domain user account to be able to reset domain passwords. Follow the instructions below to effect that setting:

• Go to the Windows Services applet (from Control Panel --> Administrative Tools --> Services)
• Select the 'ManageEngine PMP' service, right-click --> choose Properties
• Click the Log On tab and choose the 'This Account' radio button and provide the user name and password of any domain user - in the format <domainname><username>
• Save the configuration and restart the server

7. What are the prerequisites for enabling Windows Service Account Reset?

Before enabling windows service account reset, ensure if the following services are enabled in the servers where the dependent services are running:

(1) Windows RPC service should have been enabled
(2) Windows Management Instrumentation (WMI) service should have been enabled

Backup & Disaster Recovery

1. Can I setup disaster recovery for the PMP database?

Yes, you can. PMP can periodically backup the entire contents of the database, which can be configured through the PMP console. Refer help documentation for more details.

2. Where does the backup data get stored? Is it encrypted?

All sensitive data in the backup file are stored in encrypted form in a .zip file under <PMP_Install_Directory/backUp> directory. It is recommended that you backup this file in your secure, secondary storage for disaster recovery.

Troubleshooting & General Tips

1. Do I need any pre-requisite software to be installed before using PMP?

There is no prerequisite software installation required to use PMP.

2. Can others see the resources added by me?

Except super administrators (if configured in your PMP set up), no one, including admin users will be able to see the resources added by you. Apart from this, if you decide to share your resources with other administrators, they will be able to see them.

3. Can I add my own attributes to PMP resources?

Yes, you can extend the attributes of the PMP resource and user account to include details that are specific to your needs. Refer the help documentation for more details.

4. What if a user who has not shared his sensitive passwords, leaves the enterprise?

This can very well happen in any enterprise, but with PMP you need not worry about passwords getting orphaned. Administrators can 'transfer' resources owned by users to other administrator users and in the process they have no access to those resources themselves, unless they do the transfer to their name. Refer the help documentation for more details.

5. Importing users/resources from AD fails...

Ensure the following:

• Check if the user credentials are correct
• If you are trying with an admin user and it fails, try entering the credentials of a non-admin user. This is just to verify if connection could be established properly

In case, if fails even after ensuring the above, contact passwordmanagerpro-support@manageengine.com.

6. Does PMP provide high availability support?

Yes, refer to Help Documentation for more details

7. How to make the PMP application work with a MySQL database server installed in a separate machine (other than the one in which PMP server is running)?

It is always recommended to run the PMP application (built over Tomcat web server) and the MySQL database in the same machine for better security. We have configured the bundled MySQL database so as it is not visible outside the machine in which it is installed (it will accept connections requested only from localhost) and you will lose this aspect when you separate them. If there is a pressing need to run MySQL elsewhere, follow the procedure detailed below:

• Shutdown PMP server if it is already running
• Install MySQL server in a different machine and create a database named 'PassTrix' (the casing is important, particularly in Linux)
• Start the MySQL server and make sure you are able to connect to the database from remote (using the MySQL command line client)
• Make the following configuration changes in PMP
  • Go to <PMP_Install_Dir>confPersistence folder
  • Open the file persistence-configurations.xml and search for the entry 'StartDBServer' and set its value to 'false' (default will be 'true')
  • Save that file
  • Go to <PMP_Install_Dir>conf folder
  • Open the file database_params.txt and make the following changes
    • In the URL property, change the entries 'localhost' and '5768' to the hostname and port number corresponding to the remote MySQL server
    • If you want to connect as root leave the username property as is. Otherwise make appropriate changes to that property. Note that PMP requires root privileges in MySQL
    • If you have set a password in the remote MySQL server specify it against the password property. Otherwise remove or comment out that line
    • Save that file
• Now start the PMP server again and it should work with the remote database (which should be already running)

8. Can I rebrand PMP with our logo?

Yes. If you want to replace the PMP logo appearing on the login screen and on the web-interface with that of yours, you can do so from the web-interface itself. It is preferable to have your logo of the size 210 * 50 pixels.

To rebrand the logo,

• Go to the 'Admin' tab
• Click 'Customize >> Rebrand'
• Browse and choose the required image
• Click 'Save'
• The PMP will appear with rebranded look

9. Does domain SSO work across firewalls / VPNs?

The domain Single Sign On (windows integrated authentication) is achieved in the Windows environment by setting non-standard parameters in the HTTP header, which are usually stripped off by devices like firewalls / VPNs. PMP is designed for use within the network. So, if you have users connecting from outside the network, you cannot have SSO this enabled.

10. Does PMP record Password viewing attempts and retrievals by users?

Yes, PMP records all operations performed by the user including the password viewing and copying operations. From audit trails, you can get a comprehensive list of all the actions and attempts by the users with password retrieval. The list of operations that are audited (with the timestamp and the IP address) includes:

• User accounts created, deleted and modified
• Users logging in and logging off the application
• Resources and passwords created, accessed, modified and deleted

11. Why does the size of PostgreSQL wal_archive file increase at a rapid pace?

This issue occurs when the backup location specified in PMP is no longer accessible to save the backup file. In simple terms, whenever the PostgreSQL database backup fails, wal_archive folder size will start increasing.

Solution:

• Check if there is enough disk space available on the PMP drive.
• If not, remove the logs directory and a few files present inside Check Configuration'
• In the pop-up box that opens, the configuration status will be displayed.

13. What's the maximum size of a password that Password Manager Pro can store?

The resource passwords are stored as encrypted text (SQL type TEXT) in the database and hence the size of the content can be upto 64KB. For the PMP application login password, the maximum password length is 100 characters.

Licensing

1. What is the Licensing Policy for PMP?

Evaluation Edition - Evaluation Edition allows you to have 2 administrators in for 30 days. You can manage unlimited resources and evaluate all features of Enterprise Edition. During evaluation you can get free technical assistance.

Free Edition - Download valid for ever, capable for supporting a maximum of 1 administrator. You can manage a maximum of 10 resources and you will all functionalities of Standard Edition.

Registered Version - need to buy license based on the number of administrators required and the type of edition Standard/Premium/Enterprise:

• Standard - If your requirement is to have a secure, password repository to store your passwords and selectively share them among enterprise users, Standard Edition would be ideal.
• Premium - Apart from storing and sharing your passwords, if you wish to have enterprise-class password management features such as remote password synchronization, password alerts and notifications, application-to-application password management, reports, high-availability and others, Premium edition would be the best choice.
• Enterprise - If you require more enterprise-class features like auto discovery of privileged accounts, integration with ticketing systems and SIEM solutions, jump server configuration, application-to-application password management, out-of-the-box compliance reports, SQL server / cluster as backend database, Enterprise edition will be ideal.

Know the difference ..

Feature	Premium Edition
Centralized password vault
Manual resource addition
Import resources from CSV files
Import resources from KeePass
Import resources from Active Directory
Password policies
Password sharing and management
Audit and instant notifications
User / User group management
Local authentication
RADIUS authentication
AD / Azure AD / LDAP integration
AD / Azure AD Sync - User groups & OUs
Export passwords for offline access
Password reset listener
Backup and recovery provisions
Remote RDP, SSH, Telnet, and SQL sessions
Two-factor authentication - OTP sent via email
Rebranding
Mobile access (Android, iOS, Windows)
Browser extensions (Chrome, Firefox, IE)
Check the validity of digital certificates
VNC Support for collaboration
Transfer approver privileges
IIS AppPool password reset
IIS Web.Config discovery
SSL certificate groups
Password protected exports
Backup file encryption
Backup file encryption
Managing unidentified email addresses
Emergency measures
Personalization of user interface (Night-mode theme)
Notification Email IDs
SAML 2.0 support
Microsoft CA certificate signing
CMDB integration for SSL certificate synchronization privacy settings
Password reset plugin
SSH Keys and SSL certificates
User sessions
Trash users
IP restrictions - API access and agent access
Disable password resets for privileged accounts
Auto logon helper
Password access control workflow
Admin dashboard (Live feeds, reports and graphs)
Password action notifications (Resource group-specific)
Remote password reset (On-demand, scheduled, and action-based) - List of supported platforms
Agent-based password reset
Canned reports
Two-factor authentication - PhoneFactor, RSA SecurID, Google Authenticator, Duo Security, YubiKey, any RADIUS-compliant authentication, Microsoft Authenticator, Okta Verify
High availability
Privileged session recording
Password Reset using SSH Command Sets
CI/CD Platform Integration - Jenkins, Ansible
MS SQL server as backend database
Password management API (XML RPC, SSH CLI)
Privileged accounts discovery
Active Directory sync - resources
LDAP sync - user and user groups
Automated SSH/SSL Discovery
SSH key pair lifecycle management
SSH keys periodic rotation
CSR Process management
SSL certificate deployment and tracking
SSL certificate management
SSL vulnerability scanning
SSL certificate expiration alerts
Role customization
Ticketing system integration - ServiceDesk Plus On-Demand, ServiceDesk Plus MSP, ServiceDesk Plus, ServiceNow, JIRA Service Desk
Custom password reset listeners
Scheduled export of encrypted HTML files
SIEM Integration - SNMP traps & Syslog messages Generation
Email templates for notification configuration
Landing server configuration
Federated identity management
Smart card / PKI / Certificate authentication
Two-factor authentication - RADIUS
Custom reports
Out-of-the-box Compliance Reports (PCI DSS, NERC-CIP, ISO/IEC 27001, GDPR)
SQL query reports
Privileged session shadowing and termination
SQL server failover clustering
RESTful API
Encryption key rotation
Data encryption and protection with SafeNet HSM
MS SQL server as backend database
Encryption key rotation
Certificate lifecycle management with Let's Encrypt
Role customization
EAR Support while using MS SQL as backend database
Purging selective session recordings signing certificates using custom root CA
Track domain expirations
File transfers over remote desktop sessions
Secure cloud storage options

Can I buy a permanent license for PMP? What are the options available?

Though PMP follows an annual subscription model for pricing, we also provide perpetual licensing option. The perpetual license will cost approximately three times the annual subscription price, with 20% AMS from the second yea onwards. Contact sales@manageengine.com and passwordmanagerpro-support@manageengine.com for more details.

I want to have a High Availability setup with multiple servers. Will a single license suffice for this?

Yes, if you buy a single Premium or Enterprise Edition license, you are entitled to have the High Availability setup. You can apply the same license on the Primary as well as the Secondary servers. Follow the below steps:

1. Stop the PMP service in the Primary server.
2. Login PMP using the Secondary server URL as an Administrator.
3. Tap License under the User menu, at the top right corner of the console.
4. Update the same license file which you applied for the Primary server.

Can PMP support more than 100 administrators?

Yes, very much. If you want a license with more than 100 administrator users, please contact sales@manageengine.com and passwordmanagerpro-support@manageengine.com for more details.

Can I extend my evaluation to include more administrator users or for more number of days?

Yes. Fill in the required details in the website and we will send you the license keys.

Do I have to reinstall PMP when moving to Premium or Enterprise Editions?

No. You need not have to reinstall or shut down the server. You just need to enter the new license file in the 'License' link present in the top right corner of the PMP web interface.